Follow these guidelines when configuring Transparent Bridge security chain devices to support decryption brokering:

Each security chain device must be configured with two interfaces in Transparent Bridge mode; these two interfaces connect the device to the security chain network. The security chain device does not use a local routing table, and the Transparent Bridge interfaces do not have assigned IP addresses, subnet masks, or default gateways.

Do not include devices that modify IP or TCP headers in a security chain, or be sure to disable any features that perform these functions. If the security chain returns a session to the firewall with a modified IP or TCP header, the firewall drops the session because it can no longer match it to the original client-to-server or server-to-client session.
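As an added diagnostic example (not part of this documentation and not the firewall's own tooling), the following Python compares the IPv4/TCP header of a packet as it entered the security chain with the copy that came back and lists every field a chain device rewrote; the packets used here are constructed inline, and the field names are this example's own.

```python
"""Added example: detect IP/TCP header rewrites across a security chain.
Compares the fields the firewall's session match depends on (source and
destination IP, source and destination port, TCP sequence numbers) on a
packet forwarded into the chain versus the copy returned from it."""
import struct
import ipaddress

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract the IPv4 and TCP header fields the session match depends on."""
    ihl = (pkt[0] & 0x0F) * 4                  # IPv4 header length in bytes
    if pkt[9] != 6:                            # protocol field must be TCP
        raise ValueError("not a TCP segment")
    sport, dport, seq, ack = struct.unpack("!HHII", pkt[ihl:ihl + 12])
    return {
        "src_ip": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(pkt[16:20])),
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
    }

def header_changes(ingress: bytes, egress: bytes) -> dict:
    """Return {field: (before, after)} for every field the chain altered.
    An empty dict means the returned packet can still be matched to its
    original session; anything else is a rewrite the firewall would reject."""
    before, after = parse_ipv4_tcp(ingress), parse_ipv4_tcp(egress)
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}

def build_packet(src, dst, sport, dport, seq, ack) -> bytes:
    """Constructed sample IPv4 + TCP header (no payload) for demonstration."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 0x50, 0x18, 65535, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    sent = build_packet("10.1.1.10", "203.0.113.5", 51000, 443, 1000, 2000)
    # Constructed case: a chain device that source-NATs the client would return
    back = build_packet("192.0.2.1", "203.0.113.5", 40000, 443, 1000, 2000)
    print(header_changes(sent, back))   # reports src_ip and src_port rewrites
```

Feed it the same packet captured on the ingress and egress links of the chain to confirm a candidate device really is transparent before putting it in production.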
When configuring multiple security chains, it is a best practice
to deploy enough security chains to provide excess capacity in the
event of a security chain failure. If you enable the firewall to
perform Security Chain Health Checks, and a security chain fails,
the firewall continues to distribute decrypted sessions among the
healthy security chains. If there are not enough healthy chains
to cover the additional load, that single security chain failure
could result in cascading failures as the remaining healthy security
chains are oversubscribed.